U.S. Department of Energy
Office of Inspector General
Office of Audits and Inspections

Audit Report
The Department's Configuration Management of Non-Financial Systems

OAS-M-12-02                          February 2012


Department of Energy
Washington, DC 20585

February 23, 2012

MEMORANDUM FOR THE CHIEF INFORMATION OFFICER,
               CHIEF INFORMATION OFFICER, NATIONAL NUCLEAR SECURITY ADMINISTRATION, AND
               DIRECTOR, OFFICE OF SCIENCE

FROM:     Rickey R. Hass
          Deputy Inspector General for Audits and Inspections
          Office of Inspector General

SUBJECT:  INFORMATION: Audit Report on "The Department's Configuration Management of Non-Financial Systems"

BACKGROUND

The Department of Energy utilizes many types of information technology (IT) systems to support its various missions related to environmental cleanup, national security, energy and scientific research. Protecting these systems has become increasingly challenging as the frequency and sophistication of cyber attacks continue to rise. A key component of helping to ensure an adequate information security posture is the implementation of an effective configuration management program. Configuration management helps to protect the confidentiality, integrity and availability of IT resources through controls over the processes for initializing, changing and monitoring information systems. For instance, active management and testing of configurations is essential for identifying and remediating vulnerabilities in systems and applications. Furthermore, effective use of change controls is integral for managing updates to system configurations and should include proper approvals, testing and validation, and evaluation of the security implications of changes.

Prior Office of Inspector General (OIG) reports identified systemic issues with the Department's cyber security and configuration management programs. For instance, our annual evaluation of The Department's Unclassified Cyber Security Program identified weaknesses related to configuration management over financial systems for each of the past six years. In light of the need to ensure effective security practices over the Department's information systems and the challenges noted in prior OIG reports, we initiated this audit to determine whether the Department implemented an effective configuration management process over non-financial systems. This review supplements our annual financial statement audit and Federal Information Security Management Act (FISMA) evaluation, and focused on non-financial systems and certain sites and observations not included in our other reviews.

CONCLUSIONS AND OBSERVATIONS

We found that the Department had not implemented sufficient controls over its configuration management processes for non-financial systems. The issues we identified were similar to what we observed with financial systems in our most recent evaluation report of The Department's Unclassified Cyber Security Program – 2011 (DOE/IG-0856, October 2011). Security patches designed to mitigate system vulnerabilities had not been applied in a timely manner for desktops, applications and servers. In addition, organizations and sites reviewed had not always followed effective procedures to ensure that changes to systems and applications were properly tested and approved prior to implementation.

Vulnerability Management

Although the organizations and sites reviewed had policies and procedures for conducting periodic vulnerability scans of information systems, we found internal vulnerabilities at each location that negatively impacted the security of desktops, non-financial applications and, at two sites, system servers. In addition, we identified external vulnerabilities at one location. External assessments are conducted from outside an organization's security perimeter and offer the ability to view the environment's security posture as it appears from outside the entity, with the goal of revealing vulnerabilities that could be exploited by an external attacker. Internal vulnerability assessments assume the identity of a trusted insider or an attacker who has penetrated perimeter defenses. During our internal vulnerability testing, we utilized both authenticated and unauthenticated scanning. Authenticated scanning uses login names and passwords to simulate a user being on the system, while unauthenticated scanning does not use login credentials and typically identifies basic internal network setting vulnerabilities. In particular:

•   Scans of desktop machines that could access selected non-financial systems found that 414 of 714 (58 percent) contained vulnerabilities designated as medium or high risk in the National Vulnerability Database, which is sponsored by the Department of Homeland Security. For example, at one Office of Science (Science) site, we found that 56 of 131 (43 percent) desktops contained vulnerabilities. Similarly, 209 of 319 (66 percent) desktops tested at a National Nuclear Security Administration (NNSA) site and all 38 desktops reviewed for one Headquarters organization contained vulnerabilities. We determined that numerous desktops were running programs that were missing security patches or updates that were more than 3 months old. In some instances, patches for identified vulnerabilities had been released by the vendor more than one year prior to our testing. Two organizations and three sites reviewed were also utilizing unpatched versions of office automation software that could have presented the risk that an attacker would be able to execute malicious code or disrupt system operations;

•   We identified 14 vulnerabilities at 2 organizations and 3 sites that affected various system applications, including those used to support functions such as procurement and security. Eight of the vulnerabilities were high risk, including at least one that could have been exploited by an attacker to compromise key internal systems and sensitive data. The remaining six weaknesses were medium risk and included vulnerable input validation techniques that could be used by an attacker to obtain unauthorized access to data within the database. Other vulnerabilities identified during our testing of the applications included problems with data protection, access controls, authorization management and data sanitization – all of which could have allowed a malicious attacker to obtain user credentials, steal sensitive information, or potentially execute malicious programs on the Department's systems;

•   At 2 sites, we identified 13 system servers that contained 5 different types of high risk vulnerabilities. Specifically, servers containing potentially sensitive information were missing security patches for various operating systems even though the patches had been released by the vendor more than 30 days prior to our testing. In some instances, patches that had been released by the vendor over two years prior to our testing had not been applied. Absent remediation of the identified weaknesses, the sites were at risk for remote code execution by attackers that could disrupt normal business operations or have negative impacts on system and data reliability; and,

•   In addition to the vulnerabilities identified during our internal testing, we also found weaknesses at one site during our external vulnerability assessment. Specifically, we determined that a vulnerability existed on a system in which a remote server could allow anonymous access to the system. This issue could have resulted in the disclosure of information that an attacker could find useful to conduct future exploits. Although officials stated that they had accepted the risk posed by the vulnerability, we found that the acceptance process was informal, lacked a detailed analysis and occurred only after we brought the vulnerability to management's attention during our testing.

The weaknesses described above occurred because procedures were not adequate for identifying and remediating vulnerabilities in a timely manner. For instance, a policy at one site stated that identified high and medium risk vulnerabilities should be remediated within seven days of identification. However, we noted that many of the weaknesses identified were more than three months old because the site's vulnerability scanning process did not include authenticated scans – a key testing method used to identify weaknesses. As such, many of the weaknesses we identified went undetected by the site during its testing. Notably, subsequent to our testing, officials acknowledged that authenticated scanning would be beneficial and commented that they would seek to implement it in the future.

At another site, procedures permitted various amounts of time to pass before vulnerabilities were required to be remediated. Specifically, a scoring process was used to assess the risk of system and vulnerability attributes such as the number of missing patches, the severity of the patches and the time elapsed since the patches were required. Once the system score reached a certain threshold, the system administrator had seven days to remediate the vulnerability or the system would be blocked from accessing certain network services. While the site stated that it relies on a defense-in-depth approach to cyber security, we found that the procedures described above allowed known vulnerabilities to remain uncorrected on systems for an extended period even when a patch was available.

Without improvements to its vulnerability management program, the Department's desktops, non-financial applications and servers continue to be at risk from internal and external threats. As noted, many of the vulnerabilities we identified created the potential for an attacker to gain unauthorized access to the Department's systems and information.

System Change Controls

Changes to non-financial information systems and applications at six organizations and sites reviewed were not always properly approved, tested or evaluated for security risks prior to their implementation. As noted by the National Institute of Standards and Technology (NIST), an effective change control process is necessary to ensure that only authorized changes are made to systems and that the integrity and security of the system remain intact. In particular, we found:

•   The Department had not documented approvals for each configuration change made to the systems reviewed. Specifically, although each of the organizations and sites reviewed had established a process for making changes to information systems, we found that 44 of 197 (22 percent) change requests reviewed did not have documented authorizations indicating that the change had been approved in advance of being initiated. For instance, all 44 change requests reviewed within the Office of the Chief Information Officer (OCIO) lacked documented approvals. Although officials informed us that the proposed changes were reviewed by the OCIO Change Advisory Board, there was no evidence of its decision to accept or deny change requests;

•   The Department had not always determined the potential security risks and impacts of system changes prior to actually implementing them. While NIST guidance stressed the need to approve changes to a system with consideration for security implications, we found that the majority of the changes reviewed either did not have a security impact analysis or the analysis was not complete. For example, at Brookhaven National Laboratory (BNL), all 34 changes reviewed were missing documented security impact analyses. In addition, 10 of 44 change requests within OCIO were approved for implementation even though there was no data or inadequate data provided in the "Risk Impact/Assessment" field of the change control form; and,

•   Forty-three of 197 (22 percent) changes evaluated did not have test plans and/or test results that analyzed potential functional and security impacts. For example, OCIO had insufficient or no test plans for half of the system changes reviewed. Also, the Los Alamos National Laboratory (LANL) was unable to provide test plans for 10 of the 12 system changes reviewed. In responding to our report, NNSA officials commented that the LANL changes reviewed did not require test plans because the changes were considered "Fast Track" work tickets. However, no information was provided to support this process during our test work, and we found that the system for which the changes occurred did not have a formal change control process in place to describe any such procedures.

The change control weaknesses we identified occurred because procedures were not always adequate for addressing approval, testing or evaluation for security risk prior to implementation. For instance, we noted that while the change control procedures at certain Department organizations addressed the development and execution of testing plans, others did not. In particular, the Configuration Management Plan for Science at Headquarters did not include details or requirements for testing system changes prior to implementation. In addition, BNL officials stated that formalized test plans for system updates and patches were not documented because the system changes were not complex and were of a routine nature. Furthermore, while certain organizations and sites had established change control guidance, the procedures did not always address the need for a formal security impact analysis. For example, the Office of the Chief Financial Officer's management plan stated that changes were evaluated based on overall impact. While we noted that the impact assessment did address functionality, cost and schedule, it did not include a security analysis. In addition, change control procedures at one organization and one site required a security analysis; however, in many cases, there was no evidence that the analysis was completed even though the changes were approved.

Failure to properly test changes prior to employing them in business or other support systems could have a significant impact on system security, data reliability and system operation. In addition, assessing the potential security impact of system changes is essential to maintaining the security posture and minimizing the risk of a security incident adversely affecting the system.

RECOMMENDATION

As part of our evaluation of The Department's Unclassified Cyber Security Program – 2011, which focused primarily on financial systems, we provided a recommendation to develop and implement, as needed, procedures and processes to adequately secure systems and applications. We believe this prior recommendation, once fully implemented, will also help address the adequacy of vulnerability management and change control procedures and processes relating to non-financial systems.

However, during the course of this audit, we identified new configuration management weaknesses that increase the risk of compromise of the systems and applications that we reviewed. Detailed information regarding these weaknesses was provided to management at each location where vulnerabilities were identified. We acknowledge that many of the weaknesses we identified may be corrected by the Department if it fully implements the recommendations contained in the above report. Nevertheless, to ensure that the vulnerabilities identified during this review are corrected in a timely manner, we recommend that the Department and NNSA Chief Information Officers work with organizations and sites, as necessary, to correct the specific weaknesses identified in this report.

MANAGEMENT REACTION AND AUDITOR COMMENTS

Department management concurred with the report's recommended action and stated that the issues identified should be corrected during the implementation of planned corrective actions to address our report on The Department's Unclassified Cyber Security Program – 2011. In separate comments, NNSA management concurred with the report's recommended action but expressed concern that we did not accurately report that the vulnerabilities identified were found using elevated access privileges. We acknowledge that we were provided with user names and passwords for our internal system work, which was meant to simulate an authenticated system user. As such, the internal vulnerabilities we reported could potentially be exploited by individuals with authenticated credentials. The external vulnerabilities, however, were discovered without the benefit of elevated privileges and could have been exploited by any external user. Management's comments can be found in Attachment 3.

Attachments

cc:   Deputy Secretary
      Associate Deputy Secretary
      Under Secretary for Nuclear Security
      Chief Health, Safety and Security Officer
      Chief of Staff


Attachment 1

OBJECTIVE, SCOPE AND METHODOLOGY

OBJECTIVE

To determine whether the Department of Energy (Department) implemented an effective configuration management process over non-financial systems.

SCOPE

The audit was performed between November 2010 and February 2012 at Department Headquarters in Washington, DC and Germantown, Maryland; and National Nuclear Security Administration (NNSA) and Under Secretary for Science locations. The audit included internal and external vulnerability scanning conducted by KPMG, LLC on behalf of the Office of Inspector General. Systems we selected for review were unclassified, non-financial systems, categorized as moderate according to the Federal Information Processing Standards, and a major application or general support system. We conducted external testing of networks and systems as an outsider without any elevated privileges. We conducted internal system scanning as an authenticated user, that is, a user with a valid user name and password, and reported on vulnerabilities that could be exploited by both an insider and a remote attacker. In addition, our work did not include a determination of whether vulnerabilities found were actually exploited and used to circumvent existing controls.

METHODOLOGY

To accomplish our objective, we:

•   Reviewed Federal laws and regulations pertaining to information and cyber security, such as the Federal Information Security Management Act of 2002;

•   Reviewed applicable standards and guidance issued by the Office of Management and Budget and the National Institute of Standards and Technology (NIST), such as NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, and the Consensus Audit Guidelines;

•   Obtained and analyzed documentation from Department organizations and sites pertaining to configuration management programs; and,

•   Held discussions with officials from the Department and NNSA.

We conducted this audit in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Accordingly, we assessed significant internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objective. In particular, we assessed the Department's implementation of the Government Performance and Results Act of 1993 and determined that while it did not have specific performance measures for configuration management, it had established performance measures to improve information technology policy and oversight. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit. We did not solely rely on computer-processed data to satisfy our objective. Computer-assisted audit tools were used to perform probes and scans of various networks and drives. We validated the results of the scans by confirming the weaknesses disclosed with responsible on-site personnel and performed other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests. In addition, we confirmed the validity of other data, when appropriate, by reviewing supporting source documents.

The Department and NNSA waived an exit conference.


Attachment 2

RELATED REPORTS

Office of Inspector General Reports

•   Audit Report on The Department's Unclassified Cyber Security Program – 2011 (DOE/IG-0856, October 2011). Although positive steps had been taken to address previously identified cyber security weaknesses, additional action was needed to further strengthen the Department of Energy's (Department) unclassified cyber security program and help address threats to its information systems. Weaknesses were found in the areas of access controls, vulnerability management, web application integrity, contingency planning, change control and cyber security training. These weaknesses occurred, in part, because the Department had not ensured that cyber security requirements included all necessary elements and were properly implemented, and program elements did not always utilize effective performance monitoring activities to ensure that appropriate security controls were in place.

•   Audit Report on The Department's Unclassified Cyber Security Program – 2010 (DOE/IG-0843, October 2010). Although corrective actions had been taken to resolve configuration management vulnerabilities identified in our Fiscal Year (FY) 2009 evaluation, weaknesses in these areas persisted. Specifically, problems discovered during the review were attributed to inadequate configuration and vulnerability management controls. Performance testing revealed that all 17 locations reviewed had varying degrees of vulnerable applications on desktop and network systems and devices.

•   Audit Report on The Department's Unclassified Cyber Security Program – 2009 (DOE/IG-0828, October 2009). Weaknesses with configuration management remained at a number of Department sites. Specifically, weaknesses included software vulnerabilities and deficiencies in implementing common security configurations. Additionally, numerous sites had not implemented the Federal Desktop Core Configurations mandated by the Office of Management and Budget.

•   Audit Report on The Department's Unclassified Cyber Security Program – 2008 (DOE/IG-0801, September 2008). With regard to configuration management, this report identified weaknesses such as outdated or not appropriately patched software. If software with known vulnerabilities is not updated in a timely manner, the risk that the systems could be compromised increases. Also, a number of Department sites or organizations had not disabled unneeded computer services for their publicly accessible websites. These services increased the risk of malicious damage to these websites. Additionally, the report found that a financial system was not set to log account administrative activity, an essential control which permits management reviews. Furthermore, the report found that certain organizations and sites had not implemented protective measures requiring the adoption of standard desktop configurations and that security controls at another site on computers mostly assigned to foreign nationals from nonsensitive countries were not implemented.

Government Accountability Office Report

•   Report on Cyber Security – Continued Attention Needed to Protect Our Nation's Critical Infrastructure and Federal Information Systems (GAO-11-463T, March 2011). The U.S. Government Accountability Office (GAO) continued to identify protecting the Federal government's information systems and the Nation's cyber critical infrastructure as a government-wide high risk area. Federal systems continue to be afflicted by persistent information security control weaknesses. For example, as part of its audit of the FY 2010 Financial Statements for the U.S. Government, GAO determined that serious and widespread information security control deficiencies were a government-wide material weakness.


Attachment 3

MANAGEMENT COMMENTS


IG Report No. OAS-M-12-02

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if they are applicable to you:

     1. What additional background information about the selection, scheduling, scope, or procedures of the audit or inspection would have been helpful to the reader in understanding this report?

     2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

     3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

     4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report which would have been helpful?

     5. Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name ____________________________          Date ____________________________

Telephone ________________________          Organization ____________________

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

                           Office of Inspector General (IG-1)
                                 Department of Energy
                                Washington, DC 20585

                              ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact our office at (202) 253-2162.


The Office of Inspector General wants to make the distribution of its reports as customer-friendly and cost-effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

U.S. Department of Energy Office of Inspector General Home Page
http://energy.gov/ig

Your comments would be appreciated and can be provided on the Customer Response Form.